MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

30.8.10

The deception strategies typically used to spread fake antivirus (rogue AV) rely on an online simulation of a malware scan: a page that mimics Windows Explorer and always "finds" the same threats, even when the visitor is running an operating system other than Windows.

Conventional strategy of deception. This is one of many templates: it shows a supposed scan verifying the integrity of the computer, with an interface that imitates Windows Explorer.

Recently, however, a new strategy with similar features has appeared that uses a different maneuver: while the supposed scan takes place, the page plays a real video under the caption "Scan in progress. Please wait".

New strategy of deception. A real video plays while the traffic is redirected to a false report announcing the detection of a threat.

While the video plays, traffic is redirected to another page displaying the threats allegedly found by the scan. Here the report is made to look as if it came from several antivirus engines, listed strategically so that each one appears to have detected something.

False report. The scan claims to have detected malware on the system; the false report, with supposed results from multiple antivirus engines, seeks to alarm the user.

Conveniently, each of the antivirus "products" that supposedly detected the malicious activity offers a download of the application that will solve the problem:

Both the beginning and the end of the video show the words "Protect your privacy! Use only licensed software!". The psychological impact on the user is high: they are "entertained" by a video about data theft and then read the "recommendation".

Protect your privacy! The psychological strategy seeks to persuade users, who then buy the rogue.

This strategy is channeled through AS6851, better known as BKCNET "SIA" IZZI or SAGADE. BKCNET "SIA" IZZI serves as a "repository" for various criminal activities, providing cover for botnets and other crimeware such as Koobface, ZeuS, Phoenix Exploit's Kit and BOMBA, among others, as well as some Pay-per-Install affiliate businesses. In this case the pages resolve to the IP address 85.234.191.173.

The scheme is completed by installing a rogue called AntiSpy Safeguard, which blocks access to operating system resources for the duration of its initial scan. The ultimate goal of the rogue is, as usual, to push the user into buying the malicious application.

Purchase of the rogue. These pages are usually dressed up as legitimate services; through them the offender obtains both money from the sale of the rogue and credit card data.

With this maneuver the offender, or the affiliate program, secures on the one hand a percentage of the price of the rogue and, on the other, feeds its database with credit card information, which is then sold on the black market at prices that vary with the type of card.

18.8.10

Criminal alternatives grow very fast in an ecosystem where, day by day, business opportunities are conceived through fraudulent processes. Accordingly, the demand for cybercriminal resources does not let up and is constantly growing.

It is common to find new crimeware trying to win a place and good acceptance in the virtual streets of the underground, offering a cost/benefit balance for the "product" promoted that lets criminals enter the market as quickly as possible.

Similarly, crimeware already accepted in the well-known circuit is updated to optimize its "quality of service". Phoenix Exploit's Kit, despite being minimalist compared with others of its kind, is one of the most active crimeware packages today.

This paper presents a series of data on the criminal and fraudulent activities carried out using Phoenix Exploit's Kit as the management channel, how the criminal business cycle around this crimeware works, and which exploits are found in its different versions.

15.8.10

Affiliate programs are a growing and highly profitable business model for criminals. Among many other alternatives, they create a complete malware spreading/infection circuit, rewarding their customers with a percentage of the money obtained according to the success of their own operations.

One of the schemes with the greatest uptake in this business model is Pay-per-Install, where each customer is paid per installation of the malware. That is, the affiliate only has to propagate the malware and wait for someone to become infected.

In this circuit each member can be a single person or a botnet; obviously the economic return from spreading the malware supplied by the affiliate system is multiplied when a botnet does the spreading, and the botmaster profits more in a shorter time span, on top of the other fraudulent revenue streams a botnet generates.

Another of these affiliate programs is Pirated Edition, whose access panel can be seen in the picture below.

Looking into the affiliate system, we find an extremely minimalist model that only lets the client-offender check the money earned and download the malware to spread, including its updates.

This malicious code, whose default name is limew.exe (MD5 757eda0929b94ea104a1a80825dee3e2), has a very low detection rate: according to the VirusTotal report, it is detected by only 8 of 41 AV engines.

When run, it reports to the real affiliate program behind this criminal circuit, in this case husseta.com.

11.8.10

One of the most profitable businesses in the field of computer crime is the affiliate program. These are systems that offenders join in exchange for a commission, in this case for each successful installation of malware distributed through the system.

VIVA INSTALLS, belonging to the same criminal group behind HAPPY INSTALLS, is one of them. The system is "protected" under AS6851, BKCNET "SIA" IZZI (ATECH-SAGADE), at the IP address 91.188.59.51, to which the domain happyinstalls.com resolves. This AS is known for its high incidence of fraudulent activity and because it is also used for the propagation of Koobface.

The system promotes among its members one of the best-known pieces of rogue-type malicious code: A-fast Antivirus.

The fake antivirus business generates several revenue streams beyond the number of successful installations. On the one hand, this rogue costs USD 69.65, and every unwary user who "buys the malware" feeds the business.

At the same time, the purchase requires filling in a form with credit card details, which gives the offender more data for fraudulent activities. Without going into detail, the credit card information ends up in a database that is then also sold.

How does the infection circuit work?
The affiliate system provides its "customers" with the URL from which to download the malware, warning them not to check the executable against public services such as VirusTotal, since uploaded samples reach the antivirus vendors. In this case the files are setup.exe and exe.exe (MD5 971eab628a7aac18bb29cba8849dff61), the downloader that acts as the link for downloading A-fast Antivirus.

While the member system sits at 91.188.59.51, the rogue is downloaded from 91.188.59.112, domain a-fast.com. This maneuver, although common, shows that BKCNET "SIA" IZZI is home to a large volume of criminal activity.
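The indicators named across the posts on this page (the AS6851 addresses 85.234.191.173, 91.188.59.51 and 91.188.59.112, the domains happyinstalls.com, a-fast.com and husseta.com, and the two MD5 hashes) are exactly what a defender would sweep proxy, DNS and endpoint logs for. The script below is an added example and not code from the original posts: the log lines are constructed, not real captures, and their field layout is an assumption; the indicator values themselves are the ones published above. It also groups the IPs by /24 so that the co-hosting of the affiliate panel and the rogue download stands out.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the posts on this page: IPs hosted at BKCNET "SIA" IZZI
# (AS6851), the affiliate/rogue domains, and the MD5s of the two droppers.
IOC_IPS = {"85.234.191.173", "91.188.59.51", "91.188.59.112"}
IOC_DOMAINS = {"happyinstalls.com", "a-fast.com", "husseta.com"}
IOC_MD5 = {
    "757eda0929b94ea104a1a80825dee3e2": "limew.exe (Pirated Edition affiliate)",
    "971eab628a7aac18bb29cba8849dff61": "exe.exe (VIVA INSTALLS downloader)",
}

# Constructed sample log lines (not real captures; layout is an assumption):
# two proxy lines, one DNS answer, one endpoint hash event, one benign line.
SAMPLE_LOGS = [
    "1283200001 10.0.0.7 GET http://www.a-fast.com/setup.exe 200 dst=91.188.59.112",
    "1283200002 10.0.0.9 POST http://husseta.com/gate.php 200 dst=91.188.59.51",
    "1283200003 dns client=10.0.0.7 query=happyinstalls.com A answer=91.188.59.51",
    "1283200004 edr host=WS-07 file=C:\\Users\\a\\limew.exe md5=757EDA0929B94EA104A1A80825DEE3E2",
    "1283200005 10.0.0.7 GET http://example.org/index.html 200 dst=93.184.216.34",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def domain_hit(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line):
    """Return the list of (type, value) indicator hits found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        dom = domain_hit(host)
        if dom:
            hits.append(("domain", dom))
    for digest in MD5_RE.findall(line):
        if digest.lower() in IOC_MD5:
            hits.append(("md5", digest.lower()))
    return hits


def scan_logs(lines):
    """Map each matching line's index to its hits; lines without hits are omitted."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            result[i] = hits
    return result


def group_by_prefix(ips, prefixlen=24):
    """Group IPs by enclosing network so co-hosted infrastructure stands out."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(ip)
    return {net: sorted(addrs, key=ipaddress.ip_address) for net, addrs in groups.items()}


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
    for net, addrs in group_by_prefix(IOC_IPS).items():
        print(f"{net}: {addrs}")
```

Matching on the registered domain rather than the full hostname means a later variant served from a subdomain of a-fast.com or happyinstalls.com still triggers, and the hash comparison is case-insensitive because endpoint tools disagree on hex case. Grouping by /24 is a cheap first approximation of the AS-level view the posts take; 91.188.59.51 and 91.188.59.112 fall into one block, 85.234.191.173 into another.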

How does registration work?
Access to the members' circuit of the business requires meeting certain conditions: basically, an activation code issued by the affiliate system on the recommendation of another "trusted" member, that is, an offender who is already active in the circuit and has a recognized track record.

How much does the affiliate earn for each successful installation?
A topic of interest around affiliate systems is how much they pay, in this case per installation.

While affiliate systems share the same business model, the amount paid per installation varies from one to another. In the case of VIVA INSTALLS/HAPPY INSTALLS, the prices are as follows:

USD 0.30 per installation in U.S.

USD 0.20 per installation in Canada, Australia and England.

USD 0.01 for installation in other countries.

In short, VIVA INSTALLS / HAPPY INSTALLS is dedicated, for the moment, only to promoting and distributing one of the many (hundreds of) rogues that form part of the criminal circuit.

9.8.10

Phoenix Exploit's Pack (PEK) is another of the crimeware packages most widely accepted in the online criminal ecosystem, and in the past week its use has massively spread a large amount of malware.

The executable binaries that form part of the campaign, which is still active, spread under the default name of the executable the package generates, exe.exe. Some of the executables that are part of this campaign are: